You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sr...@apache.org on 2015/10/31 06:55:08 UTC
incubator-sentry git commit: SENTRY-936: getGroup and getUser should
always return orginal hdfs values for paths in prefix which are not sentry
managed (Sravya Tirukkovalur, Reviewed by Lenni Kuff)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 52ec19483 -> 9615cc58b
SENTRY-936: getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed (Sravya Tirukkovalur, Reviewed by Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9615cc58
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9615cc58
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9615cc58
Branch: refs/heads/master
Commit: 9615cc58b680e1153bd475e8549438d460c90f05
Parents: 52ec194
Author: Sravya Tirukkovalur <sr...@cloudera.com>
Authored: Thu Oct 29 18:33:32 2015 -0700
Committer: Sravya Tirukkovalur <sr...@cloudera.com>
Committed: Fri Oct 30 22:54:32 2015 -0700
----------------------------------------------------------------------
.../hdfs/SentryAuthorizationProvider.java | 51 ++++++--------------
.../sentry/hdfs/SentryAuthorizationInfoX.java | 4 +-
.../hdfs/TestSentryAuthorizationProvider.java | 14 +++++-
3 files changed, 31 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
index d167183..419ab68 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
@@ -204,16 +204,10 @@ public class SentryAuthorizationProvider
String[] pathElements = getPathElements(node);
if (!authzInfo.isManaged(pathElements)) {
user = defaultAuthzProvider.getUser(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ user = defaultAuthzProvider.getUser(node, snapshotId);
} else {
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- user = this.user;
- } else {
- user = defaultAuthzProvider.getUser(node, snapshotId);
- }
- } else {
user = this.user;
- }
}
return user;
}
@@ -229,16 +223,10 @@ public class SentryAuthorizationProvider
String[] pathElements = getPathElements(node);
if (!authzInfo.isManaged(pathElements)) {
group = getDefaultProviderGroup(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ group = getDefaultProviderGroup(node, snapshotId);
} else {
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- group = this.group;
- } else {
- group = getDefaultProviderGroup(node, snapshotId);
- }
- } else {
- group = this.group;
- }
+ group = this.group;
}
return group;
}
@@ -256,7 +244,10 @@ public class SentryAuthorizationProvider
String[] pathElements = getPathElements(node);
if (!authzInfo.isManaged(pathElements)) {
permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
- } else {
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
+ }
+ else {
FsPermission returnPerm = this.permission;
// Handle case when prefix directory is itself associated with an
// authorizable object (default db directory in hive)
@@ -269,15 +260,7 @@ public class SentryAuthorizationProvider
break;
}
}
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- permission = returnPerm;
- } else {
- permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
- }
- } else {
- permission = returnPerm;
- }
+ permission = returnPerm;
}
return permission;
}
@@ -321,8 +304,12 @@ public class SentryAuthorizationProvider
if (!authzInfo.isManaged(pathElements)) {
isManaged = false;
f = defaultAuthzProvider.getAclFeature(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ isManaged = true;
+ f = defaultAuthzProvider.getAclFeature(node, snapshotId);
} else {
isManaged = true;
+ hasAuthzObj = true;
aclMap = new HashMap<String, AclEntry>();
if (originalAuthzAsAcl) {
String user = defaultAuthzProvider.getUser(node, snapshotId);
@@ -335,14 +322,8 @@ public class SentryAuthorizationProvider
}
if (!authzInfo.isStale()) {
isStale = false;
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- hasAuthzObj = true;
- addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
- f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
- } else {
- hasAuthzObj = false;
- f = defaultAuthzProvider.getAclFeature(node, snapshotId);
- }
+ addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
+ f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
} else {
isStale = true;
f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
index 4cebed2..0ed290d 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
@@ -29,6 +29,7 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
public SentryAuthorizationInfoX() {
super(new String[]{"/user/authz"});
+ System.setProperty("test.stale", "false");
}
@Override
@@ -48,7 +49,8 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
@Override
public boolean isStale() {
- return false;
+ String stale = System.getProperty("test.stale");
+ return stale.equalsIgnoreCase("true");
}
private static final String[] MANAGED = {"user", "authz"};
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
index 40b803e..fd5146f 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
@@ -133,7 +133,7 @@ public class TestSentryAuthorizationProvider {
path = new Path("/user/authz/obj");
Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
- Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+ Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
List<AclEntry> acls = new ArrayList<AclEntry>();
@@ -146,7 +146,7 @@ public class TestSentryAuthorizationProvider {
path = new Path("/user/authz/obj/xxx");
Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
- Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+ Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
Path path2 = new Path("/user/authz/obj/path2");
@@ -159,6 +159,16 @@ public class TestSentryAuthorizationProvider {
Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup());
Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission());
Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
+ //stale and dir inside of prefix, obj
+ System.setProperty("test.stale", "true");
+ path = new Path("/user/authz/xxx");
+ status = fs.getFileStatus(path);
+ Assert.assertEquals(sysUser, status.getOwner());
+ Assert.assertEquals("supergroup", status.getGroup());
+ Assert.assertEquals(new FsPermission((short) 0755), status.getPermission());
+ Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
return null;
}
});